TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

Weaknesses in Asset Management Controls Leave Information Technology Assets Vulnerable to Loss

September 16, 2013

Reference Number: 2013-20-089

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.

Phone Number | 202-622-6500
E-mail Address | TIGTACommunications@tigta.treas.gov
Website | http://www.treasury.gov/tigta

HIGHLIGHTS

WEAKNESSES IN ASSET MANAGEMENT CONTROLS LEAVE INFORMATION TECHNOLOGY ASSETS VULNERABLE TO LOSS

Highlights

Final Report issued on September 16, 2013

Highlights of Reference Number: 2013-20-089 to the Internal Revenue Service Chief Technology Officer.

IMPACT ON TAXPAYERS

The IRS Information Technology organization controls more than 306,000 information technology assets worth almost $720 million using the Knowledge, Incident/Problem, Service Asset Management (KISAM) system. Our review determined that weaknesses in controls over asset management create an environment in which information technology assets are vulnerable to loss. The risk of loss, theft, or the inadvertent release of sensitive information can decrease the public’s confidence in the IRS’s ability to monitor and use its resources effectively.

WHY TIGTA DID THE AUDIT

This audit was included in our Fiscal Year 2012 Annual Audit Plan and addresses the major management challenge of Modernization. The overall objectives were to determine whether system user permissions were appropriate to ensure the safeguarding of the information technology asset inventory and to review the effectiveness of the system in maintaining an accurate and complete information technology asset inventory.

WHAT TIGTA FOUND

TIGTA found that information technology asset data successfully migrated from the legacy inventory system to the KISAM–Asset Manager. However, the audit log used to capture events was not being reviewed to ensure that only appropriate accesses were made. In addition, information technology asset data within the KISAM–Asset Manager are inaccurate and incomplete because the IRS is not following its procedures to ensure that all assets are accurately recorded and timely updated in the KISAM–Asset Manager.

TIGTA also found that ineffective inventory controls created an environment where information technology assets are vulnerable to loss. TIGTA selected 146 information technology assets to physically verify and could not locate and verify or find proper supporting documentation for 34 information technology assets worth more than $948,000. In addition, IRS offices improperly completed the annual inventory reconciliation process.

WHAT TIGTA RECOMMENDED

To improve the controls over information technology assets, TIGTA recommended that the Chief Technology Officer ensure that the inventory records are updated to correct the deficiencies identified in our review; the reconciliation process is effectively completed and offices provide supporting documentation for quality review; and dollar threshold criteria are included in the Asset Management Inventory Certification Plan for certifying information technology assets with a high-dollar value that affect financial statement reporting. TIGTA also made several recommendations that will help the IRS Information Technology organization ensure that the data captured in its inventory management system are complete and accurate and that its assets are adequately safeguarded against theft or loss.

In their response to the report, IRS management agreed with all eight recommendations. IRS management agreed to deliver KISAM Asset Manager Tool enhancements for performing asset verification and correct data deficiencies identified by TIGTA; develop a missing asset aging report to facilitate researching and resolving assets in a missing status; and update the Fiscal Year 2014 Inventory Certification Plan to include the verification of the Serial Number field and assets with an acquisition value of $50,000 or greater.

DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

September 16, 2013

MEMORANDUM FOR CHIEF TECHNOLOGY OFFICER

FROM:     Michael E. McKenney
          Acting Deputy Inspector General for Audit

SUBJECT:  Final Audit Report – Weaknesses in Asset Management Controls Leave Information Technology Assets Vulnerable to Loss (Audit # 201220016)

This report presents the results of our review of the Knowledge, Incident/Problem, Service Asset Management system. The overall objectives of this review were to determine whether system user permissions were appropriate to ensure the safeguarding of the information technology asset inventory and to review the effectiveness of the system in maintaining an accurate and complete information technology asset inventory. This audit was included in the Treasury Inspector General for Tax Administration’s Fiscal Year 2012 Annual Audit Plan and addresses the major management challenge of Modernization.

Management’s complete response to the draft report is included as Appendix VI.

Copies of this report are also being sent to the Internal Revenue Service managers affected by the report recommendations. If you have any questions, please contact me or Alan R.
Duncan, Assistant Inspector General for Audit (Security and Information Technology Services).

Table of Contents

Background

Results of Review
    Asset Data Successfully Migrated Between Inventory Systems; However, Access Controls Need Improvement
        Recommendation 1
    Asset Data in the Knowledge, Incident/Problem, Service Asset Management System Are Inaccurate and Incomplete
        Recommendations 2 through 4
    Ineffective Controls Create an Environment in Which Information Technology Assets Are Vulnerable to Loss
        Recommendations 5 through 8

Appendices
    Appendix I – Detailed Objectives, Scope, and Methodology
    Appendix II – Major Contributors to This Report
    Appendix III – Report Distribution List
    Appendix IV – Outcome Measures
    Appendix V – Glossary of Terms
    Appendix VI – Management’s Response to the Draft Report

Abbreviations

AM       Asset Manager
IRM      Internal Revenue Manual
IRS      Internal Revenue Service
IT       Information Technology
ITAMS    Information Technology Asset Management System
KISAM    Knowledge, Incident/Problem, Service Asset Management
SACM     Service Asset and Configuration Management
UNS      User and Network Services

Background

The User and Network Services (UNS) organization has responsibility, ownership, management, and control of information technology equipment in the Internal Revenue Service (IRS). The UNS organization’s mission includes certifying the information technology inventory on an annual basis and directing Customer Service Support Centers[1] to ensure that the information technology inventory is accurate. Within the UNS organization, the Service Asset and Configuration Management (SACM) organization’s Hardware Asset Management office is responsible for providing oversight, coordination, and guidance on information technology equipment management enterprisewide using the Knowledge, Incident/Problem, Service Asset Management (KISAM) system as the management tool.
Specifically, the Hardware Asset Management office responsibilities include:

    • Developing asset management policies.
    • Performing analysis of the Asset Manager (AM) module within the KISAM system and identifying anomalous records.
    • Developing and improving processes for asset management and control.
    • Monitoring and facilitating execution of the inventory reconciliation and exception plan.
    • Working closely with asset owners enterprisewide.

In addition, the organizational placement of the Hardware Asset Management office is intended to maintain its independence from each UNS organization area and external UNS organization entities.[2]

In August and September 2011, the UNS organization replaced the Information Technology Asset Management System (ITAMS) with the KISAM system. The Information Technology (IT) organization’s Fiscal Year 2011 fourth Quarter Business Performance Review explained that the previous system became outdated and heavily customized, and it no longer provided sufficient automation to manage the day-to-day operations. As a result, the IRS implemented the KISAM system to improve managing daily operations associated with activities such as asset management.
In addition, the IRS is in the process of implementing the Information Technology Infrastructure Library® process methodology to align information technology services with the current and future needs of the organization. The IRS reported that the IT organization had achieved Information Technology Infrastructure Library Maturity Level 3 in October 2012.

[1] See Appendix V for a glossary of terms.
[2] External UNS organization entities consist of Chief Counsel, Enterprise Networks, Enterprise Operations, Information Resources Accessibility Program, Criminal Investigation, and Real Estate and Facilities Management. Criminal Investigation, Chief Counsel, and Real Estate and Facilities Management are permitted to perform inventory tasks such as purchasing and disposing of information technology assets assigned to them.

The IRS implemented the KISAM system in two releases: the Service Manager module and the AM module. The UNS organization uses the Service Manager module as the problem management reporting tool for all IRS-developed applications and shares information with the Enterprise Service Desk. The UNS organization recognizes the KISAM-AM as the sole authoritative source and official inventory record for all information technology assets within the IRS [with the exception of information technology software–related assets (to include software and software licenses)].

The UNS organization controls information technology assets based on specific classifications.

    • Class A – system critical, highly “pilferable,” and require significant security considerations or have a high-dollar value. These assets are verified and certified annually. Examples include desktop and laptop computers, high-end scanners, network printers, servers, and routers.
    • Class B – exclusively Personal Digital Assistants or Smartphones. These assets are managed electronically and are certified annually.[3]
    • Class C – controlled assets with less dollar value than Class A assets that are recorded for important business and operating purposes. Class C assets have an inventory record in the KISAM-AM; however, direction on certification and verification is determined by the Hardware Asset Management office and the annual Asset Management Inventory Certification Plan. Examples include fax machines, low-end scanners, and desktop printers.
    • Class D – “consumables” that are not tracked in the KISAM-AM because they are relatively inexpensive items that are replaced rather than repaired. Examples include mice, keyboards, disk drives, and monitors.

Figures 1 and 2 illustrate the total number and dollar value of information technology assets recorded in the KISAM-AM as of August 2012.[4]

[3] Due to a recent review, we did not include Class B assets in our scope. Treasury Inspector General for Tax Administration, Ref. No. 2013-10-010, Inadequate Aircard and BlackBerry® Smartphone Assignment and Monitoring Processes Result in Millions of Dollars in Unnecessary Access Fees (Jan. 2013).
[4] The dollar value was obtained by using the acquisition cost reported in the KISAM-AM. TIGTA did not perform any independent tests to ensure the accuracy of the cost information reported in the KISAM-AM.

Figure 1: Total Number of Information Technology Assets[5]

Class | Number of Assets
Class A | 230,223
Class B | 862
Class C | 75,087
Total Number of Assets | 306,172

Source: TIGTA analyses of a KISAM-AM data extract dated August 2012.

Figure 2: Total Dollar Value of Information Technology Assets

Class | Purchase Price
Class A | $672,349,492
Class B | $20,990
Class C | $47,209,217
Total Purchase Price | $719,579,699

Source: TIGTA analyses of a KISAM-AM data extract dated August 2012.

[5] There were 529,419 records in the KISAM-AM data extract; however, only 306,172 are information technology inventory asset records. The remaining 223,247 records are non–information technology asset records.

The UNS organization issues the Annual Asset Management Inventory Certification Plan (hereafter referred to as the Certification Plan) to facilitate the annual reconciliation and verification of assets to the KISAM-AM. Certification Plan goals include locating and verifying the existence of all controlled Class A and Class B assets, leveraging opportunities to verify Class C assets, verifying and confirming that a KISAM-AM inventory record is associated with every controlled asset in the IRS, and certifying the accuracy of key KISAM-AM data fields. The Certification Plan also acknowledges that increasing and maintaining the accuracy and completeness of all information technology assets in the KISAM-AM is critical in assessing and monitoring asset inventory as well as meeting the current and future needs of the organization.

The annual certification cycle for asset verification activities occurs from October 1 through June 30 each fiscal year. During this time, all IT organizations work with the SACM organization to validate and certify a complete and thorough inventory. At the close of the certification period, the Hardware Asset Management office provides certifying organizations (e.g., the Field Directors for each UNS organization Customer Service Support Center) with detailed information about asset records under their control. The information consists of Anomaly Reports, a Certification Letter, and a Reconciliation Plan Letter.
All organizations must return the Certification and the Reconciliation Plan Letters, both signed by the official representing the organization. The signed Certification Letter states that an inventory of all assets requiring certification has been completed according to the Certification Plan. The signed Reconciliation Plan Letter includes a commitment to address and correct by fiscal year end any anomalous asset records and error conditions, including unverified Class A and Class B assets, reported in the Reconciliation Plan Letter. The reconciliation period begins July 1 and concludes by September 30 each fiscal year.

The Hardware Asset Management office leverages a combination of electronic and physical verification methods to verify assets. Shifting from a periodic physical wall-to-wall inventory, the SACM organization continues to promote and implement a perpetual inventory process by capturing changes to asset inventory in real-time. The SACM organization uses two electronic tools for verification of assets: a barcode scan and an automated or manual update through a network scanning tool such as Tivoli. The SACM organization also uses three physical verification methods: customer self-certification, a physical touch of the asset (i.e., asset move, add, change, maintenance, or physical inventory), and a documented customer interaction, such as a service ticket. To verify an asset, certain KISAM-AM date fields need to be populated with a date of October 1 or later in the appropriate fiscal year. Once a date field has been updated, the asset is considered verified.

This review was performed at the UNS organization offices at the Brookhaven Campus (which includes the Depot) in Brookhaven, New York, and the New Carrollton Federal Building in Lanham, Maryland, during the period October 2012 through June 2013. We conducted this performance audit in accordance with generally accepted government auditing standards.
Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. Detailed information on our audit objectives, scope, and methodology is presented in Appendix I. Major contributors to the report are listed in Appendix II.

Results of Review

Asset Data Successfully Migrated Between Inventory Systems; However, Access Controls Need Improvement

From July 14 through August 25, 2011, the KISAM Project Management office worked on migrating and validating data from the ITAMS to the KISAM-AM. To ensure a successful transition, the SACM organization issued guidance communicating a suspension of certain asset management activities, e.g., processing asset disposals during the transition period. The SACM organization provided us with the criteria used to identify each subset of asset data in the ITAMS prior to the migration and the corresponding record counts for the same subset of data in the KISAM-AM. The SACM organization also provided explanations when differences between the reported datasets occurred.
For example, the August 2011 ITAMS data extract showed that there were 230,727 assets with an assignment status of “in use” at the time of migration. According to the SACM organization, the KISAM-AM data reported 221,213[6] assets with an assignment status of “in use;” management explained that the almost 10,000 asset difference was due to 4,855 BlackBerrys that did not migrate until after the KISAM-AM was implemented and 4,660 assets assigned to the Volunteer Income Tax Assistance program that changed to an “in stock” assignment status.

Using the August 2011 ITAMS and the October 2011 KISAM-AM data, we followed the migration steps and compared the two data sets to ensure that all inventory records migrated. Our initial analyses showed that the total number of records migrated did not match the figures provided by SACM organization management, differing by only 38 records. However, upon reviewing our identified discrepancies, SACM organization management provided support to show these 38 assets were in the KISAM-AM under a different barcode number. Each of these records had a barcode replaced, resulting either from a worn barcode or replacement asset.

We also conducted tests to ensure that sufficient system controls were in place to protect access to the KISAM system data. Our tests determined that the KISAM application, database, and operating system complied with password management requirements outlined in Internal Revenue Manual (IRM) 10.8.1, Password (Authentication) Management. However, our review of the switch user log (audit log) identified three individuals who accessed the KISAM system database using a system account and without a need to know. These three individuals are not database administrators and should not have access to the database system account or the password for the account.
This suggests a security weakness exists within the KISAM system infrastructure, and at this time we cannot be assured that the data within the KISAM system are protected from accidental or malicious altering.

[6] One asset migrated to the KISAM-AM “in use” assignment status from an ITAMS “in stock” assignment status (230,727 – 4,855 – 4,660 + 1 = 221,213).

IRM 10.8.3, Audit Logging Security Standards, establishes agencywide policy for the collection and processing of computer-generated event logs, also called audit logs. Audit capabilities apply to all aspects of a system, including operating systems, database systems, and applications. The IRM further prescribes that the audit trails be used by security specialists within the IRS to help accomplish several security-related objectives, such as individual accountability.

During our meeting to discuss the results of this audit, IRS management indicated that due to resource availability they made a risk-based decision to allow database administrators to perform tasks using the database system account by invoking the switch user command. IRS management advised us that the switch user audit logs were reviewed by security analysts within the Cybersecurity organization. When we followed up to request documentation to support these claims, IRS management provided a document explaining that the switch user command had been in place for many years and preceded the risk-based decision document requirement.
We also discussed the audit log review process with representatives from the Enterprise Security Audit Trails group (within IRS’s Cybersecurity organization), who explained that a process is in place to review these logs; however, it has yet to be implemented for the KISAM system application and its infrastructure.

Although the switch user login events are recorded in an audit log, no one is currently reviewing the log to ensure that only appropriate accesses are made. This is because the Enterprise Security Audit Trails group is currently working on developing reports to facilitate reviewing the audit log events. Until this occurs, we believe that the IRS needs to develop an interim, mitigating control to review the audit logs.

Recommendation

The Chief Technology Officer should:

Recommendation 1: Ensure that the switch user log for the KISAM system is reviewed while the Enterprise Security Audit Trails group works on developing and implementing the full functionality of its automated tools.

    Management’s Response: IRS management agreed with the recommendation and will ensure that the switch user log for the KISAM system is reviewed while the Enterprise Security Audit Trails group works on developing and implementing the full functionality of its automated tools.

Asset Data in the Knowledge, Incident/Problem, Service Asset Management System Are Inaccurate and Incomplete

Although the SACM organization established procedures to ensure the accuracy of its information technology asset records within the KISAM-AM, procedures are not being followed. As a result, the KISAM-AM contains incomplete and inaccurate information.
Specifically, we identified inaccurate information in the KISAM-AM relating to the information technology assets we physically verified. We also found that some items selected for verification from the “floor” were not recorded in the KISAM-AM and some inventory updates were not timely made. These conditions occurred because of a reduction in staff resulting from the prior End-User Equipment and Services reorganization.[7] An inaccurate and incomplete inventory system decreases data integrity and exposes the IRS to the loss or theft of its assets.

Some assets could not be located and some assets that could be physically verified had inaccurate data recorded in the KISAM-AM

Of the 242 assets in our judgmental sample,[8] we physically located and verified 186 assets. We could not locate 30 assets, and 26 assets were in “missing” or “retired” status. There were 61 assets with inaccurate data in fields that should be reviewed for accuracy during the annual inventory, as shown below:

    • 31 assets with inaccurate entries in the Assignment field (e.g., four items were classified in the KISAM-AM in a “missing” status, yet we located the assets during our site visits).
    • 16 assets with inaccurate entries in more than one required field.
    • 8 assets with incorrect entries in the User Name field.
    • 6 assets with inaccurate entries in the Building Code field.

Figure 3 lists the minimum required data fields that must be kept current and accurate for each asset record within the KISAM-AM per IRM 2.14.1, Asset Management, Information Technology Asset Management.
The figure also provides a definition for each field and
identifies whether the SACM organization requires the field to be verified during the annual
inventory.

[7] On April 22, 2012, the End-User Equipment and Services organization merged with the Enterprise Networks
organization to form the User and Network Services organization.
[8] A judgmental sample is a nonstatistical sample, the results of which cannot be used to project to the population.

Figure 3: Minimum Required KISAM-AM Data Fields
to Be Kept Current and Accurate and the Field Definitions

KISAM-AM          Verified During
Field Name        Inventory         Definition
Assignment        Yes               Provides the status of an asset at any given time.
Barcode           Yes               A permanent sticker with a unique series of lines printed on it,
                                    which is attached to an information technology asset for quick
                                    identification by a scanner.
Serial Number     No                A unique, identifying number or group of numbers and letters
                                    assigned to an individual asset.
Building Code     Yes               Identifies the building and address of the asset location.
Cost Center       No                Identifies the organization (e.g., Enterprise Operations) primarily
                                    responsible for the asset. The data are auto-populated from
                                    another source.
System Name       No                Used to improve tracking and management of “in stock”
                                    equipment. Also used to identify special equipment used within
                                    the IRS (e.g., Common Premise Capability equipment used to
                                    support Voice Over Internet Protocol).
Computer Name     No                Populated for computers only. Provides information about the
                                    computer and is used to help with electronic touches via Tivoli.
Contact Name[9]   No                Records the primary user of IRS-owned assets. Assets that are
                                    not assigned to a primary user are identified as “shared” assets.
Source: TIGTA analysis of IRM 2.14.1 and Fiscal Year 2012 Asset Management Inventory Certification Plan.

We also identified an additional 22 assets in our sample with inaccurate data recorded in the
KISAM-AM Serial Number field. A further analysis of the KISAM-AM data identified
1,123 asset records with the same entries in the Serial Number field (e.g., 0000000 or 1234) and
22 asset records where the Serial Number field contained an invalid character. According to the
IRM, the Serial Number field consists of alphanumeric characters and can include dashes, which
are the only special character allowed.
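The Serial Number rule quoted above, written as the kind of anomaly check an inventory team could run over an asset export. This is an added example, not IRS or KISAM code: the record layout (barcode and serial_number keys), the sample records, and the PLACEHOLDER heuristic are assumptions made for illustration.

```python
import re
from collections import Counter, defaultdict

# Field rule as the report quotes it from the IRM: alphanumeric characters,
# with the dash as the only special character. Written as explicit ASCII
# ranges because str.isalnum() and \w also accept full-width and other
# Unicode letters and digits.
DISALLOWED = re.compile(r"[^A-Za-z0-9-]")

# Constructed sample records (not real asset data).
SAMPLE_RECORDS = [
    {"barcode": "A0001", "serial_number": "CN-7F3K21Q"},
    {"barcode": "A0002", "serial_number": "0000000"},
    {"barcode": "A0003", "serial_number": "0000000"},
    {"barcode": "A0004", "serial_number": "1234"},
    {"barcode": "A0005", "serial_number": "1234"},
    {"barcode": "A0006", "serial_number": "mx/44 812"},
    {"barcode": "A0007", "serial_number": "cn-7f3k21q "},   # A0001 again, retyped
    {"barcode": "A0008", "serial_number": ""},
    {"barcode": "A0009", "serial_number": "\uff33\uff2e\uff11\uff12\uff13"},  # full-width "SN123"
    {"barcode": "A0010", "serial_number": "SGH-5521-XK"},
]


def serial_anomalies(records):
    """Map barcode -> list of (code, detail) for Serial Number problems."""
    findings = defaultdict(list)
    holders = defaultdict(list)  # duplicate key -> barcodes carrying that value
    for rec in records:
        barcode = rec["barcode"]
        stripped = (rec.get("serial_number") or "").strip()
        if not stripped:
            findings[barcode].append(("BLANK", "no serial number recorded"))
            continue
        # Check characters before upper-casing: upper() can turn a disallowed
        # character into allowed ones (for example the German sharp s becomes "SS").
        bad = sorted(set(DISALLOWED.findall(stripped)))
        if bad:
            detail = "disallowed: " + " ".join(repr(ch) for ch in bad)
            findings[barcode].append(("INVALID_CHAR", detail))
        # Assumption: case and surrounding whitespace do not distinguish serials.
        key = stripped.upper()
        # Added heuristic, not an IRM rule: a value built from one repeated
        # character (0000000, ----) is treated as a placeholder.
        if len(set(key.replace("-", ""))) <= 1:
            findings[barcode].append(("PLACEHOLDER", "single repeated character"))
        holders[key].append(barcode)
    # Figure 3 defines the serial number as unique to an individual asset, so a
    # value held by several records is suspect on every one of them.
    for barcodes in holders.values():
        if len(barcodes) > 1:
            for barcode in barcodes:
                others = [b for b in barcodes if b != barcode]
                findings[barcode].append(("SHARED", "same value as " + ", ".join(others)))
    return dict(findings)


def summarize(findings):
    """Count findings per anomaly code, as an anomaly report header would."""
    return Counter(code for reasons in findings.values() for code, _ in reasons)


if __name__ == "__main__":
    report = serial_anomalies(SAMPLE_RECORDS)
    for barcode in sorted(report):
        for code, detail in report[barcode]:
            print(f"{barcode}  {code:<12}  {detail}")
    print(dict(summarize(report)))
```

A value such as 1234 passes the character rule, so only the duplicate grouping catches it, and only when more than one record carries it.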
Further, the Serial Number field is protected and cannot
be changed after initial entry unless a service desk ticket is submitted.
Although the SACM organization does not currently require independent verification of the
Serial Number field, we believe this should be added to the Certification Plan requirements,
especially because there are several other information technology asset management processes
(e.g., asset disposal and purchase of maintenance) that require both the barcode and serial
number to identify each asset. Further, the SACM organization acknowledges in the IRM that
efforts to locate assets by serial number sometimes fail due to inconsistencies in the data.

[9] The Contact Name data field is different from the User Name data field in the KISAM-AM. While the IRM
requires the Contact Name field to be kept current and accurate, the Certification Plan requires verification of the
User Name field.

We also analyzed two other required data fields in the KISAM-AM and identified the following:
     •   20,546 asset records with blank Cost Center fields (the Cost Center field should be
         auto-populated).
     •   38,774 assets in an “in stock” status had an invalid entry in the System Name field.
According to the IRM, standard recording of assets in an “in stock” assignment status assists
with the proper identification, monitoring, and control of the assets. Using the System Name
field in the KISAM-AM allows offices to more efficiently manage their equipment assigned with
an “in stock” status.
Acceptable entries in the System Name field include “general refreshment,”
“depot local,” “depot project,” and “national depot.” Analysis of the KISAM-AM data showed
that 34,488 of the assets with an “in stock” status used the default entry of “admin” for the
System Name field. Additionally, approximately 80 percent (27,515 of 34,488) of these asset
records with the default entry of “admin” also had entries in the Organization Code field. The
IRM states that the Organization Code field can be used for whatever the IT organization staff
deems necessary to manage assets, with the exception of assets in an “in stock” status.

Required asset information was not timely updated in the KISAM-AM
Our review also identified 21 of 242 assets for which information about the asset was not timely
updated in the KISAM-AM. For example, we identified five assets assigned to a user who
retired in 2011; however, the August 2012 KISAM-AM data still showed the assets assigned to
the former employee. According to IRM 2.14.1, all updates to asset data must be completed
within 10 days. Additionally, the UNS organization information technology specialists will use
the electronic move, add, and change form to document inventory changes in the KISAM-AM
within 10 days from the change request. To further enhance the accuracy of the data within the
KISAM-AM and ensure that the SACM organization meets its goal of implementing a perpetual
inventory system, any changes to information technology assets must be timely updated in the
KISAM-AM.

Assets selected for verification from the floor were not recorded in the
KISAM-AM
We also judgmentally selected 96 assets from the floor during our verification testing and traced
the items to determine if they were recorded and controlled on the KISAM-AM.
Thirteen assets totaling approximately $153,869 were not controlled in the KISAM-AM.[10] These items included
a degausser (used to wipe sensitive data from storage media), a computer, and a printer. These
items present a greater risk of being lost or stolen because they are not controlled on the
inventory system. IRM 2.14.1 provides instructions that if assets are found on the floor during
the annual inventory, the KISAM-AM must be updated within 10 days.

[10] The dollar value is underestimated because we did not capture sufficient information for four of the 13 assets from
one of the locations visited and could not research the KISAM-AM to obtain an estimated cost for those assets.

Recommendations
The Chief Technology Officer should:
Recommendation 2: Update the Certification Plan to include the requirement to verify the
accuracy of the data reported in the Serial Number field.
       Management’s Response: IRS management agreed with the recommendation and
       will update the Fiscal Year 2014 Certification Plan to include the requirement that the
       Serial Number field be verified and validated for all assets requiring certification.
Recommendation 3: Ensure that the KISAM-AM information is timely updated and
maintained.
       Management’s Response: IRS management partially agreed with the
       recommendation and will deliver KISAM Asset Manager Tool enhancements for
       performing asset verification and systemic asset updates for service asset transactions and
       events documented within Service Manager if and when funding is available.
Recommendation 4: Create additional anomaly reports for the minimum required
KISAM-AM data fields to facilitate ensuring that only valid entries are provided.
       Management’s Response: IRS management agreed with the recommendation and
       will engage asset owners and stakeholders to solicit feedback and requirements for new
       asset data anomaly reports to facilitate anomaly resolution and verification activities.
       They also stated that any necessary new reports will be created.

Ineffective Controls Create an Environment in Which Information
Technology Assets Are Vulnerable to Loss
Our review identified several conditions demonstrating the IT organization’s inability to
maintain effective controls over its information technology assets. For example, we visited the
Brookhaven Campus (which included a Depot location) and the New Carrollton Federal Building
and physically located and verified information technology assets controlled in the KISAM-AM
(referred to as book-to-floor testing). We judgmentally selected a sample of 146 information
technology assets from a population of 47,857 assets recorded in the KISAM-AM. We could not
locate and verify or find proper supporting documentation for 34 assets valued at $948,310.

As previously mentioned, we also judgmentally selected a sample of 96 information technology
assets located in the offices to verify if these items were controlled in the KISAM-AM (referred
to as floor-to-book testing).
Our results showed that 12 information technology assets valued at
an estimated $28,869 were not controlled in the KISAM-AM.

Offices improperly completed the annual inventory reconciliation process
IRS offices did not always properly conduct the reconciliation of information technology assets
because they did not have sufficient resources to properly follow up and resolve those asset
records identified by the SACM organization as needing updating or correcting. As of
July 2012, the start of the reconciliation period, a total of 17,162 Class A and B assets in the
KISAM-AM had not been physically or electronically verified. The two offices selected for our
review committed to address and resolve outstanding issues identified during the annual
inventory by the end of the fiscal year (i.e., September 30, 2012). When we conducted our
on-site testing in November and December 2012, well after the close of the reconciliation period,
we could not locate 30 information technology assets, 17 (13 Class A and 4 Class C) of which
appeared on the offices’ reconciliation plan lists dated July 2012. Sixteen of the 17 assets
appeared in the reconciliation plan lists as either “aged in stock” (8), or “unverified” (8),
suggesting that at that time they existed within the IRS environment. One of the 17 assets
appeared in the reconciliation plan as “aged awaiting receipt.” The 17 assets had an acquisition
value totaling $800,554 and included a laptop and desktop computer, a server, and a network
printer.
IRM 2.14.1 describes reconciliation as the process of matching information gathered at the time
of the inventory (e.g., via self-certification, Tivoli scan, barcode scan) with what is recorded in
the KISAM-AM. The IRM further states that offices have until the end of the fiscal year to
resolve any outstanding errors found during the analysis.
The Certification Plan describes
anomaly reporting as identifying inconsistencies within the KISAM-AM data (e.g., assets that do
not have a verification date) or lifecycle control issues (e.g., assets in a status longer than they
should be). Every effort should be made to update the KISAM-AM expeditiously to correct data
errors or document asset transactions. The Certification Plan also states that it is imperative that
all “unverified” asset records are updated if the asset is located or surveyed off the database if the
asset is determined to be unaccounted for or missing. The SACM organization, in conjunction
with asset owners and stakeholders, will work to resolve critical asset data anomalies and
complete the requirements of the Certification Plan during the reconciliation period.
The Certification Plan describes “aged in stock” assets as those that are out of warranty and too
costly to repair. Offices should use information about “aged in stock” assets to reduce the
number of assets in that status. Eight of the assets we could not locate during our review
appeared on the “aged in stock” list and still showed in an “in stock” status per an updated
KISAM-AM extract dated December 2012. Similarly, eight of the assets we could not locate
during our review appeared on the unverified assets list, yet updated KISAM-AM data showed
these assets as still in the “in stock” or “in use” statuses.
For the one asset that appeared on the
“aged awaiting receipt” report, the updated KISAM-AM data showed that the asset had moved to
an “in stock” status; however, we could not locate the asset during our visit.
These continued data discrepancies indicate that the IRS offices did not effectively complete the
reconciliation process and correct the data errors prior to the end of September 2012. Further,
because we could not locate and UNS organization staff could not provide us with
documentation to support whether the 17 assets in question were either relocated to another
organization/office or disposed, we have no assurance that those assets with storage media
(e.g., server, laptop computer, desktop computer) did not contain any sensitive information.
SACM organization management needs to take additional steps to ensure that asset owners
resolve all outstanding issues during the reconciliation period. Otherwise, information
technology assets will continue to be at risk of loss and management will be unable to rely on the
data within the KISAM-AM to make business decisions.

Insufficient steps were taken to recover missing assets
Offices are not taking sufficient steps to recover assets placed in a temporary “missing” status
because they do not have the resources available to track down the assets and because the reports
used by the offices to track down missing assets did not provide disposal information.
Sixteen of
the 146 assets judgmentally selected from our sample of the KISAM-AM records were
categorized in the KISAM-AM in a “missing” status, 13 of which appeared on the offices’
reconciliation lists as missing and requiring resolution. During our on-site visits, which occurred
after the end of the reconciliation period, we physically located and verified four of the assets
and were provided documentation supporting the disposition of another eight assets.[11] The
KISAM-AM status for these 12 assets still showed as “missing” several months after the end of
the reconciliation period, whereas the assets’ statuses should have been updated during the
reconciliation period to a status other than “missing.”
According to IRM 2.14.1, assets placed in a temporary “missing” status will appear on an
anomaly report if those asset records have not been updated after 60 days. Offices are required
to reconcile their missing assets by the end of the fiscal year in which the inventory began. The
IRM prescribes detailed steps offices should take to help with locating missing assets. These
steps include, but are not limited to, checking when the asset was last scanned by Tivoli,
physically searching for the asset based on location information recorded in the KISAM-AM,
calling the contact person listed in the KISAM-AM, and “pinging” the asset if it is a desktop or
laptop computer.
After all efforts have been made to locate the missing assets, offices may
proceed with paperwork to “survey” or remove the asset record from the active inventory in the
KISAM-AM.

[11] For the remaining four assets, the IRS did not provide sufficient documentation to explain why the assets
continued to remain in a “missing” status or why they had not been removed from the KISAM-AM.

Our review of the KISAM-AM data for the eight disposed assets determined that each asset
record provided an IRS report number identifying the disposal documentation. The IRS report
number was not included in the missing asset lists provided to the offices for resolution. Had
this information been included, these assets could have been resolved by obtaining the
documentation to confirm the disposition of the assets and updating the KISAM-AM to reflect
the disposition date. We successfully physically located and verified four assets only after our
inquiries led SACM organization personnel to contact the users listed in the KISAM-AM, steps
that should have been taken prior to fiscal year end.
We also observed three instances where offices surveyed (or removed from the KISAM-AM
active inventory) a combined total of 423 assets during March and June 2012. This occurred
prior to receiving a Reconciliation Plan Letter, which is typically distributed on July 13 of each
fiscal year. For two of the instances, SACM organization personnel specifically stated that the
assets could not be located and were thus surveyed from the KISAM-AM active inventory.
The third instance was a follow-up on asset records that migrated from the ITAMS to the KISAM
system and could not be found. These assets, with an acquisition cost of more than $1.1 million,
included desktop and laptop computers and servers. According to the disposal documentation,
the responsible asset owners removed the assets from the KISAM-AM active inventory, stating
the assets were “lost” on March 28, 2012, March 29, 2012, and June 25, 2012, respectively.
While we understand it may be necessary to survey asset records from the KISAM-AM from
time to time, this practice should not become routine. If IRS employees survey missing assets
without taking appropriate actions to locate the assets, then the employees will be burdened by
additional steps to reinstate these asset records when they do eventually locate the asset.

High-valued information technology assets used in financial statement reporting
are not subject to annual inventory
Our analysis of KISAM-AM data identified 60 Class C information technology assets worth
almost $5.9 million that met the financial statement reporting requirements because 38 of the
assets are information technology assets and 22 of the assets are other equipment that met the
cost and useful life thresholds for financial statement reporting purposes. However, 45 of these
information technology assets were not verified during Fiscal Year 2012. This occurred because
the IRS did not incorporate guidance into the Certification Plan to consider the acquisition value
of assets during the annual inventory. These assets are of particular concern because they meet
the dollar criteria for financial statement reporting purposes.
According to IRM 1.35.6, Property and Equipment Accounting, the IRS will capitalize
information technology equipment, regardless of price or value, unless it is specifically exempted
as expendable equipment.
The IRM further provides that equipment designated as other
equipment will be capitalized when the requisition funding line is greater than or equal to
$50,000 and has a useful life greater than two years. Because these 60 high-value information
technology assets affect the IRS’s financial statements, every effort should have been made to
verify them during the annual inventory and ensure the accuracy of the financial statements.

Recommendations
The Chief Technology Officer should:
Recommendation 5: Ensure that the KISAM-AM records are updated to correct the
deficiencies identified in our review and provided to management.
       Management’s Response: IRS management agreed with the recommendation and
       will perform data review and analysis to correct deficiencies we identified and update
       KISAM-AM accordingly with current and complete information.
Recommendation 6: Ensure that the reconciliation process is effectively completed and have
offices provide supporting documentation to the SACM organization for quality review.
       Management’s Response: IRS management agreed with the recommendation and
       will implement and communicate process controls for follow-up actions with the
       responsible and accountable asset owners.
       They will also use an Enterprise Governance
       Board to monitor compliance.
Recommendation 7: Include additional data in the missing asset anomaly report
(e.g., disposal information) to allow offices to resolve these assets.
       Management’s Response: IRS management agreed with the recommendation and
       will develop a missing asset aging anomaly report including appropriate data fields to
       facilitate researching and resolving assets in a missing status.
Recommendation 8: Include dollar threshold criteria in the Certification Plan for certifying
information technology assets with a high-dollar value that affect financial statement reporting.
       Management’s Response: IRS management agreed with the recommendation and
       will update the FY 2014 and all future Certification Plans to require that assets with an
       acquisition value of $50,000 or greater be verified and certified.

Appendix I

Detailed Objectives, Scope, and Methodology

Our overall objectives were to determine whether system user permissions were appropriate to
ensure the safeguarding of the information technology asset inventory and to review the
effectiveness of the system in maintaining an accurate and complete information technology
asset inventory. To accomplish our objectives, we:
I.       Evaluated the effectiveness of the general information technology access controls and
         determined whether the KISAM system is properly safeguarded from unauthorized
         access and changes.
         A. Ensured the passwords for the application, database, and operating system complied
            with policies outlined in the IRM.
         B. Reviewed information generated from the audit log to ensure that only appropriate
            individuals accessed the database.
II.      Assessed the effectiveness of the inventory management controls to ensure the accuracy
         and reliability of the KISAM system to safeguard assets from fraud, waste, and abuse.
         A. Analyzed the KISAM-AM data as of August 13, 2012, and identified
            306,172 information technology assets with an acquisition cost of approximately
            $719 million. The IT Headquarters office in New Carrollton, Maryland, and the
            Depot in Brookhaven, New York, were judgmentally[1] selected based on factors such
            as having a high Classes A and C asset count and a high total Classes A and C asset
            value. We used judgmental sampling because we determined that statistical sampling
            techniques would have been cost prohibitive and we did not plan to project our results
            to the entire population.
         B. Conducted a physical verification of information technology assets, excluding
            Class B assets,[2] listed in the KISAM-AM and assigned to the two offices in our
            review.
             1. Analyzed information technology assets and identified assets assigned to the
                following statuses: “in use,” “awaiting receipt,” “in stock,” and “retired.”

[1] A judgmental sample is a nonstatistical sample, the results of which cannot be used to project to the population.
[2] Due to a recent review, we did not include Class B assets in our scope. Treasury Inspector General for Tax
Administration, Ref. No.
2013-10-010, Inadequate Aircard and BlackBerry® Smartphone Assignment and
Monitoring Processes Result in Millions of Dollars in Unnecessary Access Fees (Jan. 2013).

             2. Judgmentally selected 146 information technology assets (from a population of
                47,857) assigned to the two offices. We used judgmental sampling because we
                determined that statistical sampling techniques would have been cost prohibitive
                and we did not plan to project our results to the entire population.
             3. Physically verified 116 of the 146 information technology assets at the two
                offices.
         C. Judgmentally selected from the “floor” a total of 96 information technology assets
            from the two offices and determined whether the information technology assets were
            properly controlled in the KISAM-AM. We used judgmental sampling because we
            could not determine the population of all information technology assets in these
            offices.
         D. Reviewed the Fiscal Year 2012 inventory verification and reconciliation process for
            each office.
         E. Analyzed the KISAM-AM data to identify data inaccuracies in those fields where the
            IRM and Certification Plan require accurate information.
III.     Evaluated the results from migrating inventory data from the ITAMS to the KISAM
         system to ensure that 100 percent of the inventory records were accounted for.
         A. Obtained an ITAMS data extract and compared it to the KISAM system data to
            ensure that all the information related to the assets was migrated.
         B. Requested a detailed walk-through of the data migration/validation contractor/
            developer-prepared deliverables and, where warranted, requested additional
            supporting documentation.
Internal controls methodology
Internal controls relate to management’s plans, methods, and procedures used to meet their
mission, goals, and objectives. Internal controls include the processes and procedures for
planning, organizing, directing, and controlling program operations. They include the systems
for measuring, reporting, and monitoring program performance. We determined the following
internal controls were relevant to our audit objective: UNS organization’s policies, procedures,
and practices relating to information technology asset management and inventory; policies and
procedures relating to access security controls; and asset migration strategy, procedures, and
practices. We evaluated these controls by interviewing UNS organization management and IT
organization staff, asset users, and access security managers; reviewing relevant documentation;
and analyzing the KISAM-AM data.

Appendix II

Major Contributors to This Report

Alan R. Duncan, Assistant Inspector General for Audit (Security and Information Technology
Services)
Danny Verneuille, Director
Diana Tengesdal, Audit Manager
Mark Carder, Lead Auditor
Richard Borst, Senior Auditor
Lara Phillippe, Auditor
Kevin Liu, Information Technology Specialist

Appendix III

Report Distribution List

Acting Commissioner
Office of the Commissioner – Attn: Chief of Staff C
Deputy Commissioner for Operations Support OS
Deputy Chief Information Officer for Operations OS:CTO
Associate Chief Information Officer, Enterprise Operations OS:CTO:EO
Associate Chief Information Officer, User and Network Services OS:CTO:UNS
Chief Counsel CC
National Taxpayer Advocate TA
Director, Office of Legislative Affairs CL:LA
Director, Office of Program Evaluation and Risk Analysis RAS:O
Office of Internal Control OS:CFO:CPIC:IC
Audit Liaison: Director, Risk Management Division OS:CTO:SP:RM

Appendix IV

Outcome Measures

This appendix presents detailed information on the measurable impact that our recommended
corrective actions will have on tax administration.
These benefits will be incorporated into our
Semiannual Report to Congress.

Type and Value of Outcome Measure:
•   Reliability of Information – Potential; 60,548 information technology asset records with
    incorrect or invalid entries in fields that are required to be accurate (see page 8).

Methodology Used to Measure the Reported Benefit:
    •   We judgmentally selected 146 information technology assets from the KISAM-AM to
        physically verify and 96 information technology assets from the “floor” to determine if
        they were properly controlled in the KISAM-AM. Sixty-one of these items had
        inaccurate data in fields that should be reviewed for accuracy.
    •   We analyzed the KISAM-AM and our judgmental sample identified 1,167 (1,123 + 22 +
        22) asset records with inaccurate or invalid entries in the Serial Number field. Our
        analysis also identified 59,320 (20,546 + 38,774) asset records with either a blank entry
        in the Cost Center field or an invalid entry in the System Name field.

Type and Value of Outcome Measure:
•   Protection of Resources – Potential; 46 information technology assets costing $977,179[1]
    could not be located or positively identified or were not controlled in the KISAM-AM
    (see page 11).

Methodology Used to Measure the Reported Benefit:
    •   We judgmentally selected 146 information technology asset records from the
        KISAM-AM to physically verify. We could not locate or find support for 34 assets.
        These items had an acquisition cost of $948,310.

[1] The value of information technology assets reported in this section of the report was derived by using the data
which appeared in the Purchase Price field within the KISAM-AM. According to the IRS, the KISAM-AM does not
calculate the current market value of its assets.
As a result, these reported dollar amounts could be inflated.\n                                                                                                       Page 20\n\x0c                          Weaknesses in Asset Management Controls\n                    Leave Information Technology Assets Vulnerable to Loss\n\n\n\n    \xef\x82\xb7   We judgmentally selected 96 information technology assets to determine if the items\n        were properly controlled in the KISAM-AM. We identified 12 assets that were not\n        controlled in the KISAM-AM. These assets had a total estimated acquisition cost of\n        $28,869.\n\nType and Value of Outcome Measure:\n\xef\x82\xb7   Protection of Resources \xe2\x80\x93 Potential; 60 Class C information technology asset records with an\n    acquisition cost totaling $5,880,619 that were not verified (see page 11).\n\nMethodology Used to Measure the Reported Benefit:\n    We analyzed the KISAM-AM and identified 60 Class C assets that met the financial\n    statement reporting requirements but were not verified because the Certification Plan does\n    not include guidance that considers the acquisition value of assets. Information technology\n    assets are capitalized regardless of price or value, and equipment designated as other\n    equipment will be capitalized when the requisition funding line is greater than or equal to\n    $50,000 and has a useful life greater than two years. 
The 60 Class C assets met the\n    capitalization requirements.\n\n\n\n\n                                                                                         Page 21\n\x0c                             Weaknesses in Asset Management Controls\n                       Leave Information Technology Assets Vulnerable to Loss\n\n\n\n                                                                                      Appendix V\n\n                                  Glossary of Terms\n\nTerm                              Definition\n\nAnomaly Report                    Produced annually and provided by the Hardware Asset Management\n                                  office to identify inconsistencies or potential inaccuracies in the\n                                  KISAM-AM database.\nAsset Management Inventory        Annual document sent to individuals responsible for managing and\nCertification Plan                verifying information technology assets. This document provides\n                                  timelines and detailed guidance for completing the inventory and\n                                  reconciliation process.\nAsset Manager                     KISAM module that tracks information technology and\n                                  non\xe2\x80\x93information technology equipment used throughout the IRS.\nAwaiting Receipt                  The KISAM-AM asset assignment status of pending acceptance (to\n                                  be received) and usually in transit status.\nCampus                            The data processing arm of the IRS. 
The campuses process paper\n                                  and electronic submissions, correct errors, and forward data to the\n                                  Computing Centers for analysis and posting to taxpayer accounts.\nCertification Letter              A letter sent to each certifying organization populated with\n                                  information corresponding to assets controlled by the certifying area.\n                                  Each organization certifies on or about the end of July that an\n                                  inventory of all assets requiring certification has been completed.\nCertifying Organization           Organizations responsible for completing a Certification Letter and\n                                  Reconciliation Plan Letter.\nCustomer Service Support Center   Consists of Service Desk and Deskside groups, which provide\n                                  prompt and professional resolution of IRS end-user incidents and\n                                  problems.\nDatabase Administrator            An individual that performs all activities related to maintaining a\n                                  correctly performing and secure database environment.\n                                  Responsibilities include design, implementation, and maintenance of\n                                  the database system.\n\n\n\n\n                                                                                               Page 22\n\x0c                           Weaknesses in Asset Management Controls\n                     Leave Information Technology Assets Vulnerable to Loss\n\n\n\n\nTerm                           Definition\n\nDepot                          There are four Functional Equipment Depots: Brookhaven [formerly\n                               Volunteer Income Tax Assistance Program], Austin, Ogden, and\n                               Memphis. 
Equipment Depots perform inventory tasks and track\n                               assets that are either distributed and deployed in various locations or\n                               remotely located, requiring regular communication with end users\n                               and the Hardware Asset Management office.\n\nEnterprise Service Desk        Responsible for receiving incident reports, defining the incident\n                               category, determining the priority for all incident reports received,\n                               and overseeing the resolution process.\n\nIn Stock                       KISAM-AM asset assignment status of unplugged and reserved for\n                               future use.\n\n                               KISAM-AM asset assignment status of currently being used and is\nIn Use\n                               plugged in. The asset is in use, installed, and operational.\n\nInformation Technology         Provides a practical, no-nonsense framework for identifying,\nInfrastructure Library         planning, delivering and supporting information technology services\n                               to the business. It advocates that information technology services\n                               must be aligned to the needs of the business. It provides guidance to\n                               organizations on how to use information technology as a tool to\n                               facilitate business change, transformation, and growth.\n                               Maturity levels refer to an information technology organization\xe2\x80\x99s\n                               ability to perform. 
An organization passes through five evolutionary\n                               levels as it becomes more competent:\n                               Level 1: Initial \xe2\x80\x93 Focuses on technology and technology\n                               excellence/experts.\n                               Level 2: Repeatable \xe2\x80\x93 Focuses on products/services and operational\n                               processes (e.g., Service Support).\n                               Level 3: Defined \xe2\x80\x93 Focuses on the customer and proper service level\n                               management.\n                               Level 4: Managed \xe2\x80\x93 Focuses on business/information technology\n                               alignment.\n                               Level 5: Optimized \xe2\x80\x93 Focuses on value and the seamless integration\n                               of information technology into the business and strategy making.\n\nMissing                        KISAM-AM asset assignment status of lost, stolen, or temporarily\n                               missing assets until a determination is made.\n\n                                                                                              Page 23\n\x0c                           Weaknesses in Asset Management Controls\n                     Leave Information Technology Assets Vulnerable to Loss\n\n\n\n\nTerm                           Definition\n\nPinging                        Running the \xe2\x80\x9cping\xe2\x80\x9d command from the operating system prompt to\n                               determine if an asset is connected to the network.\n\nReconciliation Plan Letter     Letter sent to each certifying organization containing anomalous\n                               asset records requiring correction and modification to the\n                               KISAM-AM. 
The letter includes a commitment by the certifying\n                               official to ensure that all outstanding items are addressed by the end\n                               of September.\n\nRetired                        KISAM-AM asset assignment status of removed from active\n                               inventory and no longer used. This assignment is used in conjunction\n                               with disposal codes.\n\nTivoli                         Application that performs system and network management, and\n                               exports hardware inventory information to the KISAM-AM on a\n                               weekly basis.\n\n\n\n\n                                                                                             Page 24\n\x0c           Weaknesses in Asset Management Controls\n     Leave Information Technology Assets Vulnerable to Loss\n\n\n\n                                                  Appendix VI\n\nManagement\xe2\x80\x99s Response to the Draft Report\n\n\n\n\n                                                         Page 25\n\x0c      Weaknesses in Asset Management Controls\nLeave Information Technology Assets Vulnerable to Loss\n\n\n\n\n                                                    Page 26\n\x0c      Weaknesses in Asset Management Controls\nLeave Information Technology Assets Vulnerable to Loss\n\n\n\n\n                                                    Page 27\n\x0c      Weaknesses in Asset Management Controls\nLeave Information Technology Assets Vulnerable to Loss\n\n\n\n\n                                                    Page 28\n\x0c'